LuaBot

LuaBot, similar to Mirai, is a trojan that targets Linux systems, IoT devices, and web servers, turning infected systems into bots within a larger botnet controlled by the attacker. This malware appears as an ELF binary targeting ARM platforms, typically found in embedded IoT devices. Initially, no malicious functions were found in LuaBot besides adding devices to a botnet. Researchers then discovered that a LuaBot module on one device allowed the trojan to perform Layer 7 DDoS attacks. Reverse-engineering the malware's code reveals that the bot communicates with a C2 server hosted in the Netherlands on the infrastructure of WorldStream.NL. Code labeled "penetrate_sucuri" was also discovered in LuaBot, which hints at features capable of penetrating Sucuri's Web Application Firewall. Analysis also revealed that this malware allows the coder to use routers as proxies to relay malicious traffic.

Reporting

September 2016: LuaBot discovered as the first DDoS-capable trojan coded in the Lua scripting language. (Softpedia)

September 2016: An interview with the LuaBot malware author is conducted and released. (Medium)

Reference in this site to any specific commercial product, process, or service, or the use of any trade, firm or corporation name is for the information and convenience of the public, and does not constitute endorsement, recommendation, or favoring by the NJCCIC and the State of New Jersey.